1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
|
# Copyright 2021 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
# See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/uapi/drm/msm_drm.h for upstream definitions
include <drm/msm_drm.h>
resource fd_msm[fd]
# This either comes from a MSM_GEM_SUBMIT ioctl described below or from a kms
# ioctl creating an OUT_FENCE_PTR (see drivers/gpu/drm/drm_atomic_uapi.c and
# https://www.kernel.org/doc/html/latest/gpu/drm-kms.html for more details)
# Once fences are described this should be updated to an fd_drm_fence.
openat$msm(fd const[AT_FDCWD], file ptr[in, string["/dev/msm"]], flags flags[open_flags], mode const[0]) fd_msm
ioctl$DRM_IOCTL_MSM_GET_PARAM(fd fd_msm, cmd const[DRM_IOCTL_MSM_GET_PARAM], arg ptr[inout, drm_msm_param])
ioctl$DRM_IOCTL_MSM_GEM_NEW(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_NEW], arg ptr[inout, drm_msm_gem_new])
ioctl$DRM_IOCTL_MSM_GEM_INFO(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_INFO], arg ptr[inout, drm_msm_gem_info])
ioctl$DRM_IOCTL_MSM_GEM_CPU_PREP(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_CPU_PREP], arg ptr[in, drm_msm_gem_cpu_prep])
ioctl$DRM_IOCTL_MSM_GEM_CPU_FINI(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_CPU_FINI], arg ptr[in, drm_msm_gem_cpu_fini])
ioctl$DRM_IOCTL_MSM_GEM_SUBMIT(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_SUBMIT], arg ptr[inout, drm_msm_gem_submit])
ioctl$DRM_IOCTL_MSM_WAIT_FENCE(fd fd_msm, cmd const[DRM_IOCTL_MSM_WAIT_FENCE], arg ptr[in, drm_msm_wait_fence])
ioctl$DRM_IOCTL_MSM_GEM_MADVISE(fd fd_msm, cmd const[DRM_IOCTL_MSM_GEM_MADVISE], arg ptr[inout, drm_msm_gem_madvise])
ioctl$DRM_IOCTL_MSM_SUBMITQUEUE_NEW(fd fd_msm, cmd const[DRM_IOCTL_MSM_SUBMITQUEUE_NEW], arg ptr[inout, drm_msm_submitqueue])
ioctl$DRM_IOCTL_MSM_SUBMITQUEUE_CLOSE(fd fd_msm, cmd const[DRM_IOCTL_MSM_SUBMITQUEUE_CLOSE], arg ptr[in, int32])
ioctl$DRM_IOCTL_MSM_SUBMITQUEUE_QUERY(fd fd_msm, cmd const[DRM_IOCTL_MSM_SUBMITQUEUE_QUERY], arg ptr[inout, drm_msm_submitqueue_query])
mmap$DRM_MSM(addr vma, len len[addr], prot flags[mmap_prot], flags flags[mmap_flags], fd fd_msm, offset fileoff)
_ = __NR_mmap2
drm_msm_gem_new {
size int64
flags flags[msm_gem_new_flags, int32]
handle drm_gem_handle
}
drm_msm_gem_info {
handle drm_gem_handle
info flags[msm_gem_info_flags, int32]
value int64
len len[value, int32]
pad const[0, int32]
}
drm_msm_param {
pipe flags[msm_pipe_flags, int32]
param flags[msm_param_flags, int32]
value int64
}
drm_msm_timespec {
tv_sec int64
tv_nsec int64
}
drm_msm_gem_cpu_prep {
handle drm_gem_handle
op flags[msm_gem_cpu_prep_flags, int32]
timeout drm_msm_timespec (in)
}
drm_msm_gem_cpu_fini {
handle drm_gem_handle
}
drm_msm_gem_submit_reloc {
submit_offset int32
or int32
shift int32
reloc_idx int32
reloc_offset int64
}
drm_msm_gem_submit_cmd {
type flags[msm_gem_submit_cmd_flags, int32]
submit_idx int32
submit_offset int32
size int32
pad const[0, int32]
nr_relocs len[relocs, int32]
relocs ptr64[in, array[drm_msm_gem_submit_reloc]]
}
drm_msm_gem_submit_bo {
flags flags[msm_gem_submit_bo_flags, int32]
handle drm_gem_handle
presumed int64
}
drm_msm_gem_submit_syncobj {
handle drm_syncobj
flags flags[msm_gem_submit_syncobj_flags, int32]
point int64
}
drm_msm_gem_submit {
flags flags[msm_gem_submit_flags, int32]
fence int32
nr_bos len[bos, int32]
nr_cmds len[cmds, int32]
bos ptr64[in, array[drm_msm_gem_submit_bo]]
cmds ptr64[in, array[drm_msm_gem_submit_cmd]]
fence_fd fd_sync_file[opt]
queueid int32
in_syncobjs ptr64[in, array[drm_msm_gem_submit_syncobj]]
out_syncobjs ptr64[in, array[drm_msm_gem_submit_syncobj]]
nr_in_syncobjs len[in_syncobjs, int32]
nr_out_syncobjs len[out_syncobjs, int32]
syncobj_stride int32
pad const[0, int32]
}
drm_msm_wait_fence {
fence int32
pad const[0, int32]
timeout drm_msm_timespec (in)
queueid int32
}
drm_msm_gem_madvise {
handle drm_gem_handle
madv flags[msm_gem_madvise_flags, int32]
retained int32
}
drm_msm_submitqueue {
flags flags[msm_submitqueue_flags, int32]
prio int32
id int32
}
drm_msm_submitqueue_query {
data int64
id int32
param flags[msm_submitqueue_query_flags, int32]
len int32
pad const[0, int32]
}
msm_gem_new_flags = MSM_BO_SCANOUT, MSM_BO_GPU_READONLY, MSM_BO_CACHE_MASK, MSM_BO_CACHED, MSM_BO_WC, MSM_BO_UNCACHED
msm_gem_info_flags = MSM_INFO_GET_OFFSET, MSM_INFO_GET_IOVA, MSM_INFO_SET_NAME, MSM_INFO_GET_NAME
msm_param_flags = MSM_PARAM_GPU_ID, MSM_PARAM_GMEM_SIZE, MSM_PARAM_CHIP_ID, MSM_PARAM_MAX_FREQ, MSM_PARAM_TIMESTAMP, MSM_PARAM_GMEM_BASE, MSM_PARAM_NR_RINGS, MSM_PARAM_PP_PGTABLE, MSM_PARAM_FAULTS
msm_gem_cpu_prep_flags = MSM_PREP_READ, MSM_PREP_WRITE, MSM_PREP_NOSYNC
msm_pipe_flags = MSM_PIPE_NONE, MSM_PIPE_2D0, MSM_PIPE_2D1, MSM_PIPE_3D0
msm_gem_submit_flags = MSM_PIPE_NONE, MSM_PIPE_2D0, MSM_PIPE_2D1, MSM_PIPE_3D0, MSM_SUBMIT_NO_IMPLICIT, MSM_SUBMIT_FENCE_FD_IN, MSM_SUBMIT_FENCE_FD_OUT, MSM_SUBMIT_SUDO, MSM_SUBMIT_SYNCOBJ_IN, MSM_SUBMIT_SYNCOBJ_OUT
msm_gem_submit_bo_flags = MSM_SUBMIT_BO_READ, MSM_SUBMIT_BO_WRITE, MSM_SUBMIT_BO_DUMP
msm_gem_submit_syncobj_flags = MSM_SUBMIT_SYNCOBJ_RESET
msm_gem_submit_cmd_flags = MSM_SUBMIT_CMD_BUF, MSM_SUBMIT_CMD_IB_TARGET_BUF, MSM_SUBMIT_CMD_CTX_RESTORE_BUF
msm_gem_madvise_flags = MSM_MADV_WILLNEED, MSM_MADV_DONTNEED, __MSM_MADV_PURGED
msm_submitqueue_flags = MSM_SUBMITQUEUE_FLAGS
msm_submitqueue_query_flags = MSM_SUBMITQUEUE_PARAM_FAULTS
|
